What This Tool Does
This JWT decoder parses JSON Web Tokens and displays the decoded header and payload sections. It highlights important claims (iss, sub, aud, exp, iat, nbf), converts timestamps to human-readable dates, and flags expired tokens. Decoding happens entirely in your browser — your tokens never leave your device.
Inputs Explained
- JWT Token: Paste a full JWT token (three Base64URL sections separated by dots).
How It Works
A JWT has three parts separated by dots: header.payload.signature. The first two are URL-safe Base64 (Base64URL) encoded JSON. The tool splits the token on the dots, Base64URL-decodes the header and payload, and parses the resulting JSON for display. The signature is NOT verified (that would require the secret key).
Formula / Logic Used
Step-by-Step Example
Token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiUmFtZXNoIn0.sig
Header: {"alg":"HS256"}
Payload: {"sub":"123","name":"Ramesh"}
The signature section is shown as-is — this tool does not verify signatures. For that, you need the secret key and a proper JWT library.
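The decode steps described above, written out as an added JavaScript example (it is not this tool's own source code) and run on the token from the step-by-step example. The function names `base64UrlToText` and `decodeJwt` and the shape of the returned object are assumptions made for illustration.

```javascript
// Added example (not the tool's own source): decode-only JWT inspection.
// Function names and the result shape are assumptions made for illustration.
const TIME_CLAIMS = ["exp", "iat", "nbf"];

// Base64URL -> UTF-8 text: restore the standard alphabet and the stripped padding.
function base64UrlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("five segments: JWE (encrypted), not supported");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => {
    const value = JSON.parse(base64UrlToText(p));
    if (value === null || typeof value !== "object" || Array.isArray(value)) {
      throw new Error("header and payload must be JSON objects");
    }
    return value;
  });
  // NumericDate claims are seconds since the epoch; render them as ISO 8601.
  const times = {};
  for (const name of TIME_CLAIMS) {
    if (typeof payload[name] === "number") {
      times[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  return {
    header,
    payload,
    signature: parts[2], // shown as-is: not decoded, not checked
    times,
    // null means the claim is absent, so no expiry or not-before statement is made
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
    notYetValid: typeof payload.nbf === "number" ? nowSeconds < payload.nbf : null,
    signatureVerified: false, // decode only: every claim above is unauthenticated
  };
}

// Token from the step-by-step example on this page.
const SAMPLE = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiUmFtZXNoIn0.sig";
console.log(decodeJwt(SAMPLE));
```

It runs in a browser console or under Node 16 and later, which both provide `atob` and `TextDecoder` as globals.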
Use Cases
- API debugging: Inspect tokens returned by your auth endpoint to verify claims are correct.
- Token expiry checks: See when a token expires and when it was issued in human-readable format.
- Claim inspection: View custom claims (user roles, permissions) inside access tokens.
- Learning JWT structure: Understand the three-part format and how claims are encoded.
- Integration testing: Confirm your backend is issuing the correct audience, issuer, and expiry values.
Assumptions and Limitations
- This tool only DECODES the JWT; it does NOT verify the signature. Anyone can create a JWT with arbitrary content, so decoded claims prove nothing until the signature has been verified.
- Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA) and is intentionally not supported to avoid key handling.
- JWE (encrypted JWT) tokens are not supported — this tool handles JWS (signed) tokens only.
- Expiry check uses your local system clock; ensure it is correct for accurate results.
Frequently Asked Questions
Does this tool verify the JWT signature?
No. Signature verification requires the secret key (for HMAC) or public key (for RSA/ECDSA). This tool focuses on decoding and inspection only. For full verification, use a proper JWT library in your application code.
Is it safe to paste my JWT here?
The token is processed entirely in your browser — no data is sent to any server. However, JWTs are sensitive credentials; if yours is a production access token, treat it like a password and use it on trusted devices only.
What's in a JWT header?
The header typically contains the algorithm (alg) used to sign the token and the token type (typ, usually JWT). Common algorithms: HS256 (HMAC-SHA256), RS256 (RSA-SHA256), ES256 (ECDSA-SHA256).
What are the standard JWT claims?
Standard claims include iss (issuer), sub (subject, usually user ID), aud (audience), exp (expiry), iat (issued at), nbf (not before), and jti (unique token ID). Applications add custom claims for user roles, permissions, and metadata.
Why is the token expired but still accepted?
The tool checks expiry against your local system clock. If your clock is wrong, or if the server has a different clock tolerance, expiry behavior may differ. Check your system time and the server's allowed clock skew.
What's the difference between JWS and JWE?
JWS (JSON Web Signature) tokens are signed but not encrypted — the payload is visible to anyone. JWE (JSON Web Encryption) tokens are encrypted. Most web apps use JWS. This tool decodes JWS only.
Can I see the signature value?
The tool shows the three dot-separated parts. The third part is the signature (Base64URL encoded). Decoding it produces the raw signature bytes, which are meaningless without the verification key.
Is my token data stored anywhere?
No. All decoding happens in your browser. The token, header, and payload never leave your device.
Sources and References
- RFC 7519 — JSON Web Token (JWT) — Official JWT specification.
- RFC 7515 — JSON Web Signature (JWS) — JWT signing format specification.
- JWT.io — Official site for JWT learning and debugging.
- OWASP — JWT Cheat Sheet — Best practices for secure JWT usage.